#!/bin/bash
####################### Ingress side ########################
# Mark every packet from 10.2/24 arriving on eth2 with fw mark 3, then let the
# two host rules overwrite that mark for 10.2.0.24 (mark 1) and 10.2.0.3 (mark 2).
# MARK is a non-terminating target, so rule order is what makes the exceptions work.
iptables -t mangle -A INPUT -i eth2 -s 10.2.0.0/24 -j MARK --set-mark 3
iptables -t mangle -A INPUT -i eth2 -s 10.2.0.24 -j MARK --set-mark 1
iptables -t mangle -A INPUT -i eth2 -s 10.2.0.3 -j MARK --set-mark 2
# Ingress qdisc on eth2 with a single fw filter: packets carrying mark 3 are policed
# at 1500kbit with a 90k burst and a 9k minburst (mtu); non-conforming packets are dropped.
tc qdisc add dev eth2 handle ffff: ingress
tc filter add dev eth2 parent ffff: protocol ip prio 50 handle 3 fw \
police rate 1500kbit burst 90k mtu 9k drop flowid :1
######################## Egress side ########################
# dsmark on eth1 rewrites the DS byte as (old & mask) | value: mask 0x3 keeps the
# two ECN bits, value sets the DSCP (0xb8 = EF, 0x28 = AF11, 0x48 = AF21).
tc qdisc add dev eth1 handle 1:0 root dsmark indices 64
tc class change dev eth1 classid 1:1 dsmark mask 0x3 value 0xb8
tc class change dev eth1 classid 1:2 dsmark mask 0x3 value 0x28
tc class change dev eth1 classid 1:3 dsmark mask 0x3 value 0x48
# fw filters map mark 1/2/3 to dsmark class 1:1/1:2/1:3 on the way out.
tc filter add dev eth1 parent 1:0 protocol ip prio 4 handle 1 fw classid 1:1
tc filter add dev eth1 parent 1:0 protocol ip prio 4 handle 2 fw classid 1:2
tc filter add dev eth1 parent 1:0 protocol ip prio 4 handle 3 fw classid 1:3
This example is a slight variation of the previous one. This time the core
router is configured to police some of the traffic entering the domain.
The first three commands are the same as before: iptables marks
the fw field of the entering packets.
From here the differences begin, because an ingress queuing
discipline is installed to police traffic using a single-element filter.
This policer, matching packets with fw mark 3, controls traffic from network
10.2/24 excluding hosts 10.2.0.24 and 10.2.0.3, because traffic
from those two hosts is marked fw 1 and fw 2 respectively. The
policer protects our domain by not letting traffic from this network enter
at more than 1500kbps (drop policy), unless it comes from the two
selected hosts. The setting allows bursts of up to 90KB and a minburst
(mtu) of 9KB. Have a look at the section on the TBF queuing
discipline for more information about the minburst parameter.
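As an added worked example (not code from the original HOWTO), the following Python models the marking and the drop policer above on a constructed packet trace, so the effect of rate, burst and mtu can be seen without a router. It assumes tc's kbit means 1000 bit/s and k means 1024 bytes, and treats mtu as the largest packet the policer will accept.

```python
import ipaddress

NET = ipaddress.ip_network("10.2.0.0/24")

def fw_mark(src):
    """Mark a packet the way the three iptables MARK rules do.

    MARK is non-terminating: the /24 rule fires first and the two host
    rules then overwrite the mark for 10.2.0.24 and 10.2.0.3."""
    ip = ipaddress.ip_address(src)
    mark = None
    if ip in NET:
        mark = 3
    if ip == ipaddress.ip_address("10.2.0.24"):
        mark = 1
    if ip == ipaddress.ip_address("10.2.0.3"):
        mark = 2
    return mark

class Policer:
    """Token-bucket model of `police rate 1500kbit burst 90k mtu 9k drop`.
    Assumption: kbit = 1000 bit/s, k = 1024 bytes, mtu = largest packet accepted."""
    def __init__(self, rate_bit_s=1500 * 1000, burst=90 * 1024, mtu=9 * 1024):
        self.rate_per_ms = rate_bit_s / 8 / 1000     # bytes credited per millisecond
        self.burst, self.mtu = burst, mtu
        self.tokens, self.last_ms = float(burst), 0  # bucket starts full

    def conforms(self, t_ms, size):
        # Refill credit for the time elapsed since the previous packet, capped at burst.
        self.tokens = min(self.burst, self.tokens + (t_ms - self.last_ms) * self.rate_per_ms)
        self.last_ms = t_ms
        if size > self.mtu or size > self.tokens:   # oversized or out of credit -> exceed action (drop)
            return False
        self.tokens -= size
        return True

def apply_ingress(trace):
    """Return (t_ms, src, mark, verdict) for each (t_ms, src, size) packet seen on eth2."""
    policer = Policer()
    out = []
    for t_ms, src, size in trace:
        mark = fw_mark(src)
        dropped = mark == 3 and not policer.conforms(t_ms, size)  # only mark 3 is policed
        out.append((t_ms, src, mark, "drop" if dropped else "pass"))
    return out

def example_trace():
    """Constructed sample: three hosts, one oversized frame, then a 105000-byte burst."""
    trace = [(0, "10.2.0.5", 1500), (0, "10.2.0.24", 1500), (0, "10.2.0.3", 1500),
             (1, "10.2.0.7", 9217)]                # one byte over mtu 9k
    trace += [(2, "10.2.0.9", 1500)] * 70          # 105000 B against about 91 KB of credit
    trace += [(1002, "10.2.0.9", 1500), (1002, "10.3.0.1", 1500)]  # a second later; outside 10.2/24
    return trace
```

Running `apply_ingress(example_trace())` shows the two exempt hosts always passing, the oversized frame dropped, and the burst cut off after 60 packets once the 90k credit is spent.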